diff --git a/doc/source/running-your-own.rst b/doc/source/running-your-own.rst index 2962b4c6c5..d6385cbff7 100644 --- a/doc/source/running-your-own.rst +++ b/doc/source/running-your-own.rst @@ -376,9 +376,7 @@ to bring up initially, so that's our next step. The platform specific slaves are named $platform-serial.slave.$PROJECT in site.pp. For instance, Python2.6 is not widely available now, so it runs on -centos6-xx.slave.$platform nodes. There can be multiple slaves, and each -gets their own puppet cert. The openstack/site.pp has a legacy setting for -``certname`` that you should remove. +centos6-xx.slave.$platform nodes. #. Migrate modules/openstack_project/manifests/slave.pp We reuse tmpcleanup as-is. @@ -386,8 +384,6 @@ gets their own puppet cert. The openstack/site.pp has a legacy setting for #. Convert a slave definition in site.pp. Lets say ``/^centos6-?\d+\.slave\.openstack\.org$/`` -#. Remove the certname override - upstream are dropping this gradually. - #. Launch a node, passing in --image and --flavor to get a node that you want :). e.g:: diff --git a/manifests/site.pp b/manifests/site.pp index 2c80768300..4c29f55f0c 100644 --- a/manifests/site.pp +++ b/manifests/site.pp @@ -1188,7 +1188,6 @@ node /^zlstatic\d+\.openstack\.org$/ { iptables_rules6 => $iptables_rule, iptables_rules4 => $iptables_rule, sysadmins => hiera('sysadmins', []), - puppetmaster_server => 'puppetmaster.openstack.org', afs => true, } class { 'openstack_project::zuul_launcher': @@ -1217,7 +1216,6 @@ node /^zl\d+\.openstack\.org$/ { iptables_rules6 => $iptables_rule, iptables_rules4 => $iptables_rule, sysadmins => hiera('sysadmins', []), - puppetmaster_server => 'puppetmaster.openstack.org', afs => true, } class { 'openstack_project::zuul_launcher': diff --git a/modules/openstack_project/manifests/puppetmaster.pp b/modules/openstack_project/manifests/puppetmaster.pp index 7b928978ee..b096bda8a1 100644 --- a/modules/openstack_project/manifests/puppetmaster.pp 
+++ b/modules/openstack_project/manifests/puppetmaster.pp @@ -194,27 +194,15 @@ class openstack_project::puppetmaster ( # For puppet master apache serving. package { 'puppetmaster-passenger': - ensure => present, + ensure => absent, } file { '/etc/apache2/sites-available/puppetmaster.conf': - ensure => present, - owner => 'root', - group => 'root', - mode => '0600', - content => template('openstack_project/puppetmaster/puppetmaster_vhost.conf.erb'), - require => Package['puppetmaster-passenger'], + ensure => absent, } -# To set LANG to utf8, otherwise we get charset errors on manifests -# with non-ascii chars file { '/etc/apache2/envvars': - ensure => present, - owner => 'root', - group => 'root', - mode => '0444', - source => 'puppet:///modules/openstack_project/puppetmaster/envvars.debian', - require => Package['puppetmaster-passenger'], + ensure => absent, } # For launch/launch-node.py. diff --git a/modules/openstack_project/manifests/server.pp b/modules/openstack_project/manifests/server.pp index cc6509037d..ea4d0312cb 100644 --- a/modules/openstack_project/manifests/server.pp +++ b/modules/openstack_project/manifests/server.pp @@ -7,13 +7,11 @@ class openstack_project::server ( $iptables_rules4 = [], $iptables_rules6 = [], $sysadmins = [], - $certname = $::fqdn, $pin_puppet = '3.', $ca_server = undef, $enable_unbound = true, $afs = false, $afs_cache_size = 500000, - $puppetmaster_server = 'puppetmaster.openstack.org', $manage_exim = true, $pypi_index_url = 'https://pypi.python.org/simple', $purge_apt_sources = true, diff --git a/modules/openstack_project/manifests/slave.pp b/modules/openstack_project/manifests/slave.pp index 474a848149..19bc3bc927 100644 --- a/modules/openstack_project/manifests/slave.pp +++ b/modules/openstack_project/manifests/slave.pp @@ -2,7 +2,6 @@ # class openstack_project::slave ( $thin = false, - $certname = $::fqdn, $ssh_key = '', $sysadmins = [], $jenkins_gitfullname = 'OpenStack Jenkins', 
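Review bot: Deleting `/etc/apache2/envvars` with `ensure => absent` looks risky: on Debian/Ubuntu that file is shipped by the apache2 package and sourced by `apache2ctl`, so if Apache stays installed on this host after `puppetmaster-passenger` is removed it will likely fail to start. Dropping the resource would stop managing the file without deleting it. Removing `sites-available/puppetmaster.conf` also leaves any `sites-enabled` link untouched and nothing in the hunk notifies Apache, so the port 8140 listener presumably stays up until the service is restarted; it is worth confirming 8140 is closed once this has applied. The comment `# For puppet master apache serving.` is now stale; suggest `# Retired passenger-based puppetmaster: keep these absent until this has applied, then drop the resources.` The enclosing class starts and ends outside the hunk, so whether Apache is still managed elsewhere is not visible here.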
@@ -20,7 +19,6 @@ class openstack_project::slave (
 class { 'openstack_project::server':
 iptables_public_tcp_ports => [19885],
 iptables_public_udp_ports => [],
- certname => $certname,
 sysadmins => $sysadmins,
 afs => $afs
 }
diff --git a/modules/openstack_project/templates/puppetmaster/puppetmaster_vhost.conf.erb b/modules/openstack_project/templates/puppetmaster/puppetmaster_vhost.conf.erb
deleted file mode 100644
index dab50901da..0000000000
--- a/modules/openstack_project/templates/puppetmaster/puppetmaster_vhost.conf.erb
+++ /dev/null
@@ -1,60 +0,0 @@ -# This Apache 2 virtual host config shows how to use Puppet as a Rack -# application via Passenger. See -# http://docs.puppetlabs.com/guides/passenger.html for more information. - -# You can also use the included config.ru file to run Puppet with other Rack -# servers instead of Passenger. - -# This file is basically the one shipped by puppet with changes annotated -# below. - -# you probably want to tune these settings -PassengerHighPerformance on -PassengerMaxPoolSize 12 -PassengerPoolIdleTime 1500 -# This line is commented out by puppet and uncommented here to avoid a -# memory leak. -PassengerMaxRequests 1000 -PassengerStatThrottleRate 120 - -Listen 8140 - - - SSLEngine on - # This replaces puppet's default SSLProtocol spec to prevent POODLE - SSLProtocol ALL -SSLv2 -SSLv3 - SSLCipherSuite ALL:!aNULL:!eNULL:!DES:!3DES:!IDEA:!SEED:!DSS:!PSK:!RC4:!MD5:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP - SSLHonorCipherOrder on - - SSLCertificateFile /var/lib/puppet/ssl/certs/<%= @fqdn %>.pem - SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/<%= @fqdn %>.pem - SSLCertificateChainFile /var/lib/puppet/ssl/certs/ca.pem - SSLCACertificateFile /var/lib/puppet/ssl/certs/ca.pem - # If Apache complains about invalid signatures on the CRL, you can try disabling - # CRL checking by commenting the next line, but this is not recommended. - SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem - # Apache 2.4 introduces the SSLCARevocationCheck directive and sets it to none - # which effectively disables CRL checking; if you are using Apache 2.4+ you must - # specify 'SSLCARevocationCheck chain' to actually use the CRL. 
- SSLCARevocationCheck chain - SSLVerifyClient optional - SSLVerifyDepth 1 - # The `ExportCertData` option is needed for agent certificate expiration warnings - SSLOptions +StdEnvVars +ExportCertData - - # This header needs to be set if using a loadbalancer or proxy - RequestHeader unset X-Forwarded-For - - RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e - RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e - RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e - - DocumentRoot /usr/share/puppet/rack/puppetmasterd/public/ - RackBaseURI / - - Options None - AllowOverride None - Order allow,deny - allow from all - -